Disaster Recovery Plan Policy
Version 1.0.3 | Last Updated 2024-01-31 | APPROVED
1. Overview
AccuCode AI Inc. recognizes the importance of having a robust Disaster Recovery Plan (DRP) to ensure business continuity and minimize the impact of any disaster or major outage on our operations. This policy outlines the requirements for developing, implementing, and maintaining a comprehensive DRP.
2. Purpose
The purpose of this policy is to establish a baseline for creating and maintaining a DRP that describes the process to recover IT systems, applications, and data from any type of disaster causing a major outage. The DRP aims to minimize the impact of disasters on our business operations and protect the confidentiality, integrity, and availability of our clients’ data.
3. Scope
This policy applies to all IT management staff responsible for developing, testing, and updating the DRP. The policy focuses on the requirement to have a DRP and does not provide specific requirements for the content of the plan or its subplans.
4. Policy
4.1 Contingency Plans
The following contingency plans must be created as part of the DRP:
- Computer Emergency Response Plan: Outlines who to contact, when, and how, as well as the immediate actions to be taken in the event of certain occurrences.
- Succession Plan: Describes the flow of responsibility when normal staff are unavailable to perform their duties.
- Data Study: Details the data stored on the systems, its criticality, and its confidentiality.
- Criticality of Service List: Lists all the services provided and their order of importance, explaining the order of recovery in both short-term and long-term timeframes.
- Data Backup and Restoration Plan: Details which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data can be recovered.
- Equipment Replacement Plan: Describes what equipment is required to begin providing services, lists the order in which it is necessary, and notes where to purchase the equipment.
- Mass Media Management: Identifies who is in charge of giving information to the mass media and provides guidelines on what data is appropriate to be provided.
4.2 Backup Security and Ransomware Prevention
All client data backups must be encrypted with the same strong, client-specific encryption used for data at rest. Backups should be retained for 180 days and securely destroyed thereafter. To protect against ransomware, AccuCode AI Inc. employs:
- Regular backups isolated from the main network and inaccessible to unauthorized users
- Immutable backups that cannot be altered or deleted once written
- Strict access controls and network segmentation to contain potential attacks
- Continuous monitoring for suspicious activity and prompt incident response
- Disaster Recovery and Business Continuity plans to ensure data availability and integrity
4.3 Testing and Updating the DRP
After creating the plans, it is important to practice them to the extent possible. Management should set aside time to test the implementation of the DRP. Table-top exercises should be conducted annually so that issues that may cause the plan to fail are discovered and corrected in an environment with few consequences. The DRP should be reviewed and updated on an annual basis at a minimum.
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.